Stagefright bug makes 95% of Android phones vulnerable to hacks

Six critical vulnerabilities have left 95% of Google Android phones open to an attack delivered by a simple multimedia text, a mobile security expert said, according to Forbes.

In some cases, where phones parse the attack code prior to the message being opened, the exploits are silent and the user would have little chance of defending their data. The vulnerabilities are said to be the worst Android flaws ever uncovered, Forbes reports.

Joshua Drake, from Zimperium zLabs said whilst Google has sent out patches to its partners, he believes most manufacturers have not made fixes available to protect their customers.

“All devices should be assumed to be vulnerable,” Drake, vice president of platform research and exploitation at Zimperium, told Forbes. He believes as many as 950 million Android phones could be affected, going on figures suggesting there are just over 1 billion in use. Only Android phones below version 2.2 are not affected, he added.

The weaknesses reside in Stagefright, a media playback tool in Android. They are all “remote code execution” bugs, allowing hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits with mobile phone numbers, Drake noted. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions. That would allow for recording of audio and video, and snooping on photos stored in SD cards. Bluetooth would also be hackable via Stagefright.

Depending on the MMS application in use, the victim might never know they had even received a message. Drake found that when the exploit code was opened in Google Hangouts it would “trigger immediately before you even look at your phone… before you even get the notification”. It would be possible to delete the message before the user had been alerted too, making attacks completely silent, he added.

Drake sent several vulnerability reports along with patches to Google on April 9. Just a day later, according to Drake, Google confirmed the patches were accepted and would be included in a future release. He reported a second set of issues to Google on May 4, and on May 8 Google confirmed patches were being scheduled. A total of seven vulnerabilities have fixes ready.